CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: NAT Issue with SecureXL

  1. #1
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    NAT Issue with SecureXL

    I am running an R77.30 VSX Gateway on an open server. When I have a NAT policy with SecureXL enabled, the NAT translation does not work. If I disable SecureXL, the NAT translation works.
    Has anyone come across this situation, and how can it be resolved?

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    10

    Re: NAT Issue with SecureXL

    Originally posted by ba3113:
    > I am running an R77.30 VSX Gateway on an open server. When I have a NAT policy with SecureXL enabled, the NAT translation does not work. If I disable SecureXL, the NAT translation works.
    > Has anyone come across this situation, and how can it be resolved?

    That's odd. How did you find this out? Just user experience or some logs?

  3. #3
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    We are doing some feature testing on R77.30 and found this problem.

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    9

    Re: NAT Issue with SecureXL

    Could the issue be related to the traffic you are testing? What, exactly, is the issue at hand? What kind of traffic is involved? How do you see that NAT is not taking place?

  5. #5
    Join Date
    2006-09-26
    Posts
    3,200
    Rep Power
    20

    Re: NAT Issue with SecureXL

    Originally posted by jdmoore0883:
    > Could the issue be related to the traffic you are testing? What, exactly, is the issue at hand? What kind of traffic is involved? How do you see that NAT is not taking place?

    I remember running into a situation similar to this one as well.

    I was testing "hide" NAT with SQLnet; both client and server hosts were Linux. I remember that with SecureXL enabled, SQLnet didn't work. When I turned off SecureXL ("fwaccel off"), SQLnet started working again.
    I think what I was testing at the time was just R77.30 with no HFA.

    I was just testing out R77.30 at the time so I didn't open a TAC case.

    Try to apply the latest HFA (I sound like Check Point) and see if you still have issues :-)

  6. #6
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    I am running Jumbo fix Take_185. It's normal HTTP, DNS and ping traffic.

  7. #7
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    9

    Re: NAT Issue with SecureXL

    How are you seeing that NAT is not taking place? What NAT rule should be applied to this traffic?

  8. #8
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    Yes, NAT is not applied to traffic when SecureXL is applied. I have simply configured Automatic NAT, static NAT, Manual NAT (static, dynamic, PAT). I have tried all combinations of NAT, but NAT does not work.
    Moreover, if I create manual NAT, it does not work at all, even with SecureXL disabled. The firewall is not doing NATing.

    SecureXL enabled
    ============
    When I enabled tcpdump on egress and ingress, I can see traffic going through the firewall, and it has the firewall interface MAC address. The traffic is without NATing.
    When I enabled FW Monitor, it is not showing anything in the capture. It's not showing a single flow of the chain module.

    SecureXL disabled
    ============
    When I enabled tcpdump on egress and ingress, I can see traffic going through the firewall, and it has the firewall interface MAC address. The traffic is without NATing.
    When I enabled FW Monitor, it is showing traffic in the capture and showing all chain modules in the flow.

  9. #9
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    Yes, NAT is not applied to traffic when SecureXL is applied. I have simply configured Automatic NAT, static NAT, Manual NAT (static, dynamic, PAT). I have tried all combinations of NAT, but NAT does not work.
    Moreover, if I create manual NAT, it does not work at all, even with SecureXL disabled. The firewall is not doing NATing.

    SecureXL enabled
    ============
    When I enabled tcpdump on egress and ingress, I can see traffic going through the firewall, and it has the firewall interface MAC address. The traffic is without NATing.
    When I enabled FW Monitor, it is not showing anything in the capture. It's not showing a single flow of the chain module.

    SecureXL disabled
    ============
    When I enabled tcpdump on egress and ingress, I can see traffic going through the firewall, and it has the firewall interface MAC address. The traffic is with NATing.
    When I enabled FW Monitor, it is showing traffic in the capture and showing all chain modules in the flow, and traffic is getting NATed.

  10. #10
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    18

    Re: NAT Issue with SecureXL

    What kind of NAT is this? Hide, static? Manual, automatic?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  11. #11
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    I tried all combinations of NAT (static, hide) with automatic and manual. Manual NAT does not work at all, but automatic NAT works when I disable SecureXL.

  12. #12
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    I have tried the same scenario in R77.20 and it looks like all NAT works (automatic and manual) without any issue, even with SecureXL enabled, so it means something is not right with R77.30. It probably needs some hotfixes which are due for release.

  13. #13
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    18

    Re: NAT Issue with SecureXL

    Originally posted by ba3113:
    > I tried all combinations of NAT (static, hide) with automatic and manual. Manual NAT does not work at all, but automatic NAT works when I disable SecureXL.

    Why did manual NAT not work? Are you NAT-ing behind an IP that does not belong to a FW?
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  14. #14
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    I have tried two address ranges: one belongs to the FW subnet and one does not. It does not work in R77.30, but this combination works in R77.20.

  15. #15
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    18

    Re: NAT Issue with SecureXL

    Originally posted by ba3113:
    > I have tried two address ranges: one belongs to the FW subnet and one does not. It does not work in R77.30, but this combination works in R77.20.

    Interesting. I suspect a config issue here from the start. Can you get more details about how you configure those ranges? Let's start with Automatic NAT hide.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  16. #16
    Join Date
    2016-10-31
    Posts
    53
    Rep Power
    7

    Re: NAT Issue with SecureXL

    External connection has the 192.168.0.0/24 subnet.
    Internal connection has the 192.168.10.0/24 & 192.168.11.0/24 subnets.
    I have a Windows server with address 192.168.10.24. I have enabled NAT under the node object, used Hide Behind Gateway Address, and applied policy. If SecureXL is disabled it works. If SecureXL is enabled it does not work.
    I enabled Hide Behind Gateway for the same object, where the hide address is 192.168.0.24 or 192.168.14.24, and applied policy. If SecureXL is disabled it works. If SecureXL is enabled it does not work.

    If I use the same config in R77.20, it works without any issue.
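
An added example, not part of any post in this thread: one way to automate the tcpdump comparison described in posts #8 and #9 for the hide NAT setup in post #16. It reads `tcpdump -nn` text output from the ingress and egress interfaces and reports, per flow, whether the packet left with the hide address; the capture lines, the destination hosts 192.168.0.80 and 192.168.0.53, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

PACKET = re.compile(r"\bIP (\S+) > ([\d.]+): (.*)")  # "IP <src> > <dst>: <rest>"

def split_endpoint(token):
    """Split tcpdump's 'a.b.c.d.port' into (ip, port); ICMP lines carry no port."""
    parts = token.split(".")
    return (".".join(parts[:4]), parts[4]) if len(parts) == 5 else (token, None)

def parse(lines):
    """Yield (src_ip, dst_ip, dst_port, proto) for each IPv4 packet line."""
    for line in lines:
        m = PACKET.search(line)
        if not m:
            continue
        src_ip, _ = split_endpoint(m.group(1))
        dst_ip, dst_port = split_endpoint(m.group(2))
        rest = m.group(3)
        proto = "icmp" if rest.startswith("ICMP") else "tcp" if rest.startswith("Flags") else "udp"
        yield src_ip, dst_ip, dst_port, proto

def nat_verdicts(ingress, egress, internal_ip, hide_ip):
    """Per flow (dst_ip, dst_port, proto) started by internal_ip, report what egress shows."""
    egress_sources = defaultdict(set)
    for src_ip, dst_ip, dst_port, proto in parse(egress):
        egress_sources[(dst_ip, dst_port, proto)].add(src_ip)
    verdicts = {}
    for src_ip, dst_ip, dst_port, proto in parse(ingress):
        if src_ip != internal_ip:
            continue
        flow = (dst_ip, dst_port, proto)
        seen = egress_sources.get(flow, set())
        if internal_ip in seen:          # original address left the gateway unchanged
            verdicts[flow] = "untranslated"
        elif hide_ip in seen:
            verdicts[flow] = "translated"
        else:
            verdicts[flow] = "not seen on egress"
    return verdicts

# Constructed capture lines (not from the thread): HTTP, DNS and ping from the server.
INGRESS = [
    "10:15:01.000100 IP 192.168.10.24.51512 > 192.168.0.80.80: Flags [S], seq 100, win 64240, length 0",
    "10:15:02.000200 IP 192.168.10.24.53000 > 192.168.0.53.53: 4242+ A? example.com. (29)",
    "10:15:03.000300 IP 192.168.10.24 > 192.168.0.80: ICMP echo request, id 1, seq 1, length 64",
]
EGRESS_UNTRANSLATED = list(INGRESS)  # symptom reported with SecureXL enabled
EGRESS_TRANSLATED = [l.replace("192.168.10.24", "192.168.0.24") for l in INGRESS]  # port kept for brevity
```

A flow reported as "untranslated" also means the internal address is being exposed on the external segment, which is worth recording in the support case alongside the SecureXL state.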

  17. #17
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    18

    Re: NAT Issue with SecureXL

    Thanks. Seems to be a bug after all. I would advise you to open a support case with Check Point.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  18. #18
    Join Date
    2013-05-02
    Posts
    2
    Rep Power
    0

    Re: NAT Issue with SecureXL

    Was there ever a resolution from Check Point? We're seeing the very same issue on a fresh install of R77.30 on new hardware onto which we restored a previous configuration from old hardware.

  19. #19
    Join Date
    2013-05-02
    Posts
    2
    Rep Power
    0

    Re: NAT Issue with SecureXL

    Originally posted by matt.taber:
    > Was there ever a resolution from Check Point? We're seeing the very same issue on a fresh install of R77.30 on new hardware onto which we restored a previous configuration from old hardware.

    During the restore of configurations onto the new hardware, it was advised by a CP SK article to bypass the 1st time configuration wizard. While doing that, everything appeared to be installed correctly. When we went to run 'cpconfig' to reset SIC, we were prompted w/ the CLI version of the EULA and 1st time config wizard. We ran the 1st time wizard and everything configuration-wise was still intact after the wizard completed. We ran into many strange connectivity issues. We ended up rebuilding each of the firewalls, running the 1st time wizard, THEN restoring from backup. Once complete, we no longer had any of the weird issues, specifically the issue with NAT not working with SecureXL enabled.
